Presentation(group j)implementing trustworthy computing by Sundas Ilyas

Group Members:

Sundas Ilyas(12-Arid-1909)

Adnan Ashraf(12-Arid-1900)

The term Trustworthy Computing(TwC) has been applied to computing systems that are inherently secure, available, and reliable.

Example

More recently, Microsoft has adopted the term Trustworthy

Computing as the title of a company initiative to improve public trust in its own commercial offerings.

Security:Microsoft’s first pillar of Trustworthy Computing is

security.

Technology Investment-Investing expertise.

Responsible Leadership-Working with law enforcement agencies, government experts etc.

Customer Guidance and Engagement-Educating consumers with training and information.

Privacy:

Microsoft has privacy as the second pillar for Trustworthy Computing.

• In a world of spam, hackers, and unwanted pop-ups, computer users need to feel empowered with the tools and computing products, especially when it comes to protecting their personal information.

• Contribute to standards and policies created by industry organizations and government for privacy.

Reliability:

Microsoft’s third pillar of Trustworthy Computing is reliability.

Six key attributes have been defined for a reliable system:

• Resilient:

• Recoverable:

• Controlled:

• Undisruptable:

• Predictable:

Business Integrity:

Microsoft’s fourth pillar of Trustworthy Computing is business integrity.

Be responsive—take responsibility for problems and take action to correct them.

Be transparent—be open in dealings with customers, keep motives clear, keep promises, and make sure customers know where they stand in dealing with the

company.

According to the ASIS General Security Risk Assessment Guideline: Risk assessment is the “process of assessing security-related risks from internal and external threats to an entity, its assets, or personnel.”

General Security Risk Assessment:1)Identify the people and assets at risk:

Priority is typically given to those assets that support the organization’s mission and the meeting of its primary business goals.

2)Identify the loss events:

Identify the loss events or the risks or threats that could occur, such as a distributed denial-of-service attack (an attempt to make a machine or network resource unavailable to its intended users) or insider fraud.

3) Frequency of Events:

Frequency of events relates to the regularity of the loss event e.g. shopping mall.

4)Impact of Events:

Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time?

5) Options to mitigate(reduce ):

Determine how each threat can be mitigated so that it becomes much less. e.g. installing virus protection on all computers.

6) Feasibility of options:

Assess the feasibility of implementing the mitigation options.

7)Cost-benefit analysis:

A process in planning, related to the decision to commit funds or assets.

Cost of control does not exceed the system’s benefits or the risks involved.

Security policy

Security policy is a definition of what it means to be secure for a system, organization or other entity.

A security policy outlines what needs to be done but not how to do it.

For example, if a written policy states that passwords must be changed every 30 days, then all systems should be configured to enforce this policy automatically.

Critical Security Issues The use of e-mail attachments is a critical security

issue that should be addressed in every organization’s security policy.

The use of wireless devices to access corporate e-mail etc,

Mobile devices such as smartphones can be susceptible to viruses and worms.

In some cases, users of laptops and mobile devices must use a virtual private network to gain access to their corporate network.

Employees, contractors, and part-time workers must be educated about the importance of security so that they will be motivated to understand and follow the security policies:

Teaching workers how to protect your company’s network can bolster your small business defences.

Engage in ongoing security training.

Make security personal

Be accessible to users

Tell users what to do